fw-daemon/sgfw/sgfw.go

package main

import (
	"os"
	"os/signal"
	"regexp"
	"sync"
	"syscall"
	"time"
	"unsafe"

	"github.com/op/go-logging"

	"github.com/subgraph/fw-daemon/nfqueue"
	"github.com/subgraph/go-procsnitch"
)

var log = logging.MustGetLogger("sgfw")

var logFormat = logging.MustStringFormatter(
	"%{level:.4s} %{id:03x} %{message}",
)
var ttyFormat = logging.MustStringFormatter(
	"%{color}%{time:15:04:05} ▶ %{level:.4s} %{id:03x}%{color:reset} %{message}",
)

const ioctlReadTermios = 0x5401

func isTerminal(fd int) bool {
	var termios syscall.Termios
	_, _, err := syscall.Syscall6(syscall.SYS_IOCTL, uintptr(fd), ioctlReadTermios, uintptr(unsafe.Pointer(&termios)), 0, 0, 0)
	return err == 0
}

func setupLoggerBackend(lvl logging.Level) logging.LeveledBackend {
	format := logFormat
	if isTerminal(int(os.Stderr.Fd())) {
		format = ttyFormat
	}
	backend := logging.NewLogBackend(os.Stderr, "", 0)
	formatter := logging.NewBackendFormatter(backend, format)
	leveler := logging.AddModuleLevel(formatter)
	leveler.SetLevel(lvl, "sgfw")
	return leveler
}

type Firewall struct {
	dbus *dbusServer
	dns  *dnsCache

	enabled bool

	logBackend logging.LeveledBackend

	lock      sync.Mutex
	policyMap map[string]*Policy
	policies  []*Policy

	ruleLock   sync.Mutex
	rulesById  map[uint]*Rule
	nextRuleId uint

	reloadRulesChan chan bool
	stopChan        chan bool
}

func (fw *Firewall) setEnabled(flag bool) {
	fw.lock.Lock()
	defer fw.lock.Unlock()
	fw.enabled = flag
}

func (fw *Firewall) isEnabled() bool {
	fw.lock.Lock()
	defer fw.lock.Unlock()
	return fw.enabled
}

func (fw *Firewall) clearRules() {
	fw.ruleLock.Lock()
	defer fw.ruleLock.Unlock()
	fw.rulesById = nil
	fw.nextRuleId = 0
}

func (fw *Firewall) addRule(r *Rule) {
	fw.ruleLock.Lock()
	defer fw.ruleLock.Unlock()

	r.id = fw.nextRuleId
	fw.nextRuleId += 1
	if fw.rulesById == nil {
		fw.rulesById = make(map[uint]*Rule)
	}
	fw.rulesById[r.id] = r
}

func (fw *Firewall) getRuleById(id uint) *Rule {
	fw.ruleLock.Lock()
	defer fw.ruleLock.Unlock()

	if fw.rulesById == nil {
		return nil
	}
	return fw.rulesById[id]
}

func (fw *Firewall) stop() {
	fw.stopChan <- true
}

func (fw *Firewall) reloadRules() {
	fw.reloadRulesChan <- true
}

func (fw *Firewall) runFilter() {
	q := nfqueue.NewNFQueue(0)
	defer q.Destroy()

	q.DefaultVerdict = nfqueue.DROP
	q.Timeout = 5 * time.Minute
	packets := q.Process()

	for {
		select {
		case pkt := <-packets:
			if fw.isEnabled() {
				fw.filterPacket(pkt)
			} else {
				pkt.Accept()
			}
		case <-fw.reloadRulesChan:
			fw.loadRules()
		case <-fw.stopChan:
			return
		}
	}
}

var commentRegexp = regexp.MustCompile("^[ \t]*#")

func main() {
	readConfig()
	logBackend := setupLoggerBackend(FirewallConfig.LoggingLevel)
	log.SetBackend(logBackend)
	procsnitch.SetLogger(log)

	if os.Geteuid() != 0 {
		log.Error("Must be run as root")
		os.Exit(1)
	}

	setupIPTables()

	ds, err := newDbusServer()
	if err != nil {
		log.Error(err.Error())
		os.Exit(1)
	}

	fw := &Firewall{
		dbus:            ds,
		dns:             NewDnsCache(),
		enabled:         true,
		logBackend:      logBackend,
		policyMap:       make(map[string]*Policy),
		reloadRulesChan: make(chan bool, 0),
		stopChan:        make(chan bool, 0),
	}
	ds.fw = fw

	fw.loadRules()

	fw.runFilter()

	// observe process signals and either
	// reload rules or shutdown firewall service
	sigKillChan := make(chan os.Signal, 1)
	signal.Notify(sigKillChan, os.Interrupt, os.Kill)

	sigHupChan := make(chan os.Signal, 1)
	signal.Notify(sigHupChan, syscall.SIGHUP)

	for {
		select {
		case <-sigHupChan:
			fw.reloadRules()
		case <-sigKillChan:
			fw.stop()
			return
		}
	}
}
Initial commit 9 years ago			`package main`

			`import (`
			`"os"`
			`"os/signal"`
Replace hardcoded socks proxy chain with json config file 9 years ago			`"regexp"`
			`"sync"`
			`"syscall"`
Initial commit 9 years ago			`"time"`
Replace hardcoded socks proxy chain with json config file 9 years ago			`"unsafe"`
Initial commit 9 years ago
ADDED: System rules ADDED: Persistant configs ADDED: Prompt configurations (default action, advanced options, auto expand) FIXED: Default focus on prompt FIXED: Bug in display of *:<port> rule FIXED: Updated ui to gnome >= 3.20 8 years ago			`"github.com/op/go-logging"`

Initial commit 9 years ago			`"github.com/subgraph/fw-daemon/nfqueue"`
Use go-procsnitch, remove code duplication 9 years ago			`"github.com/subgraph/go-procsnitch"`
Initial commit 9 years ago			`)`

			`var log = logging.MustGetLogger("sgfw")`
Only include timestamp and colors in log if stderr is terminal 9 years ago
			`var logFormat = logging.MustStringFormatter(`
			`"%{level:.4s} %{id:03x} %{message}",`
			`)`
			`var ttyFormat = logging.MustStringFormatter(`
Initial commit 9 years ago			`"%{color}%{time:15:04:05} ▶ %{level:.4s} %{id:03x}%{color:reset} %{message}",`
			`)`
Various changes to support settings dialog 9 years ago
Only include timestamp and colors in log if stderr is terminal 9 years ago			`const ioctlReadTermios = 0x5401`

			`func isTerminal(fd int) bool {`
			`var termios syscall.Termios`
			`_, _, err := syscall.Syscall6(syscall.SYS_IOCTL, uintptr(fd), ioctlReadTermios, uintptr(unsafe.Pointer(&termios)), 0, 0, 0)`
			`return err == 0`
			`}`
Initial commit 9 years ago
ADDED: System rules ADDED: Persistant configs ADDED: Prompt configurations (default action, advanced options, auto expand) FIXED: Default focus on prompt FIXED: Bug in display of *:<port> rule FIXED: Updated ui to gnome >= 3.20 8 years ago			`func setupLoggerBackend(lvl logging.Level) logging.LeveledBackend {`
Only include timestamp and colors in log if stderr is terminal 9 years ago			`format := logFormat`
dependencies vendored 9 years ago			`if isTerminal(int(os.Stderr.Fd())) {`
Only include timestamp and colors in log if stderr is terminal 9 years ago			`format = ttyFormat`
			`}`
Initial commit 9 years ago			`backend := logging.NewLogBackend(os.Stderr, "", 0)`
			`formatter := logging.NewBackendFormatter(backend, format)`
			`leveler := logging.AddModuleLevel(formatter)`
ADDED: System rules ADDED: Persistant configs ADDED: Prompt configurations (default action, advanced options, auto expand) FIXED: Default focus on prompt FIXED: Bug in display of *:<port> rule FIXED: Updated ui to gnome >= 3.20 8 years ago			`leveler.SetLevel(lvl, "sgfw")`
Various changes to support settings dialog 9 years ago			`return leveler`
Initial commit 9 years ago			`}`

			`type Firewall struct {`
			`dbus *dbusServer`
			`dns *dnsCache`

Various changes to support settings dialog 9 years ago			`enabled bool`

			`logBackend logging.LeveledBackend`

Initial commit 9 years ago			`lock sync.Mutex`
			`policyMap map[string]*Policy`
			`policies []*Policy`
Various changes to support settings dialog 9 years ago
			`ruleLock sync.Mutex`
			`rulesById map[uint]*Rule`
			`nextRuleId uint`
Move process signal subscribe to Main this is so that we can respond to signals with components outside of the Firewall... in this case i'm thinking of the SOCKS proxy chain service 9 years ago
			`reloadRulesChan chan bool`
			`stopChan chan bool`
Various changes to support settings dialog 9 years ago			`}`

			`func (fw *Firewall) setEnabled(flag bool) {`
			`fw.lock.Lock()`
			`defer fw.lock.Unlock()`
			`fw.enabled = flag`
			`}`

			`func (fw *Firewall) isEnabled() bool {`
			`fw.lock.Lock()`
			`defer fw.lock.Unlock()`
			`return fw.enabled`
			`}`

			`func (fw *Firewall) clearRules() {`
			`fw.ruleLock.Lock()`
			`defer fw.ruleLock.Unlock()`
			`fw.rulesById = nil`
			`fw.nextRuleId = 0`
			`}`

			`func (fw Firewall) addRule(r Rule) {`
			`fw.ruleLock.Lock()`
			`defer fw.ruleLock.Unlock()`

			`r.id = fw.nextRuleId`
			`fw.nextRuleId += 1`
			`if fw.rulesById == nil {`
			`fw.rulesById = make(map[uint]*Rule)`
			`}`
			`fw.rulesById[r.id] = r`
			`}`

			`func (fw Firewall) getRuleById(id uint) Rule {`
			`fw.ruleLock.Lock()`
			`defer fw.ruleLock.Unlock()`

			`if fw.rulesById == nil {`
			`return nil`
			`}`
			`return fw.rulesById[id]`
Initial commit 9 years ago			`}`

Move process signal subscribe to Main this is so that we can respond to signals with components outside of the Firewall... in this case i'm thinking of the SOCKS proxy chain service 9 years ago			`func (fw *Firewall) stop() {`
			`fw.stopChan <- true`
			`}`

			`func (fw *Firewall) reloadRules() {`
			`fw.reloadRulesChan <- true`
			`}`

Initial commit 9 years ago			`func (fw *Firewall) runFilter() {`
			`q := nfqueue.NewNFQueue(0)`
			`defer q.Destroy()`

			`q.DefaultVerdict = nfqueue.DROP`
			`q.Timeout = 5 * time.Minute`
			`packets := q.Process()`

			`for {`
			`select {`
			`case pkt := <-packets:`
Various changes to support settings dialog 9 years ago			`if fw.isEnabled() {`
			`fw.filterPacket(pkt)`
			`} else {`
			`pkt.Accept()`
			`}`
Move process signal subscribe to Main this is so that we can respond to signals with components outside of the Firewall... in this case i'm thinking of the SOCKS proxy chain service 9 years ago			`case <-fw.reloadRulesChan:`
Reload config upon HUP signal 9 years ago			`fw.loadRules()`
Move process signal subscribe to Main this is so that we can respond to signals with components outside of the Firewall... in this case i'm thinking of the SOCKS proxy chain service 9 years ago			`case <-fw.stopChan:`
Initial commit 9 years ago			`return`
			`}`
			`}`
			`}`

Replace hardcoded socks proxy chain with json config file 9 years ago			`var commentRegexp = regexp.MustCompile("^[ \t]*#")`

Pass the dbusServer to the SOCKS5 proxy chain 9 years ago			`func main() {`
ADDED: System rules ADDED: Persistant configs ADDED: Prompt configurations (default action, advanced options, auto expand) FIXED: Default focus on prompt FIXED: Bug in display of *:<port> rule FIXED: Updated ui to gnome >= 3.20 8 years ago			`readConfig()`
			`logBackend := setupLoggerBackend(FirewallConfig.LoggingLevel)`
Various changes to support settings dialog 9 years ago			`log.SetBackend(logBackend)`
Use go-procsnitch, remove code duplication 9 years ago			`procsnitch.SetLogger(log)`
Initial commit 9 years ago
			`if os.Geteuid() != 0 {`
			`log.Error("Must be run as root")`
			`os.Exit(1)`
			`}`

			`setupIPTables()`

Use system bus 9 years ago			`ds, err := newDbusServer()`
Initial commit 9 years ago			`if err != nil {`
			`log.Error(err.Error())`
			`os.Exit(1)`
			`}`

			`fw := &Firewall{`
Move process signal subscribe to Main this is so that we can respond to signals with components outside of the Firewall... in this case i'm thinking of the SOCKS proxy chain service 9 years ago			`dbus: ds,`
			`dns: NewDnsCache(),`
			`enabled: true,`
			`logBackend: logBackend,`
			`policyMap: make(map[string]*Policy),`
			`reloadRulesChan: make(chan bool, 0),`
			`stopChan: make(chan bool, 0),`
Initial commit 9 years ago			`}`
Various changes to support settings dialog 9 years ago			`ds.fw = fw`
Initial commit 9 years ago
			`fw.loadRules()`

			`fw.runFilter()`
Move process signal subscribe to Main this is so that we can respond to signals with components outside of the Firewall... in this case i'm thinking of the SOCKS proxy chain service 9 years ago
			`// observe process signals and either`
			`// reload rules or shutdown firewall service`
			`sigKillChan := make(chan os.Signal, 1)`
			`signal.Notify(sigKillChan, os.Interrupt, os.Kill)`

			`sigHupChan := make(chan os.Signal, 1)`
			`signal.Notify(sigHupChan, syscall.SIGHUP)`

			`for {`
			`select {`
			`case <-sigHupChan:`
			`fw.reloadRules()`
			`case <-sigKillChan:`
			`fw.stop()`
			`return`
			`}`
			`}`
Initial commit 9 years ago			`}`